dpa

Cards (67)

  • The Data Privacy Act (DPA) of 2012 (RA 10173) protects individual personal information in information and communications systems in the government and the private sector, and creates the National Privacy Commission
  • Data subject
    An individual whose personal information is processed
  • Consent of the data subject
    Any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him/her
  • Filing system
    Any act of information relating to natural or juridical persons that is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible
  • Information and communications system
    A system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents, including the computer system or other similar device by or in which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message or electronic document
  • Personal information
    Any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual
  • Privileged information
    Any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication
  • Sensitive personal information
    Personal information about an individual's race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings, or issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns, or specifically established by an executive order or an act of Congress to be kept classified
  • Personal information controller (PIC)
    A person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf
  • Data processing systems
    The structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing
  • Personal information processor (PIP)
    Any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject
  • Processing
    Any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. It may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system
  • Data sharing
    The disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor
  • Profiling
    Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements
  • Personal data breach
    Breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed
  • Security incident
    An event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place
  • A personal information controller may subcontract or outsource the processing of personal data, and such processing shall be governed by a contract or other legal act that binds the personal information processor to the personal information controller
  • National Privacy Commission (NPC)
    Protects individual personal information and upholds the right to privacy by regulating the processing of personal information. It is an independent body mandated to administer and implement the Data Privacy Act, and to monitor and ensure compliance with personal data protection standards
  • Functions of the National Privacy Commission
    • Rule making
    • Advisory
    • Public education
    • Compliance and monitoring
    • Compliance and investigation
    • Enforcement
    • Other functions
  • The National Privacy Commission is attached to the Department of Information and Communications Technology (DICT) and shall be headed by a Privacy Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall be assisted by two Deputy Privacy Commissioners
  • The Data Privacy Act of 2012 applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing, including those who, although not found or established in the Philippines, use equipment that is located in the Philippines, or those who maintain an office, branch or agency in the Philippines
  • Entities covered by the Data Privacy Act
    • Government institutions
    • Large corporations and conglomerates
    • Small to medium enterprises
  • The Data Privacy Act protects all forms of information that are personal, sensitive, and privileged
  • Exclusions from the coverage of the Data Privacy Act
    • Information about government officers/employees relating to their position or functions
    • Information about individuals performing services under contract for a government institution relating to the services performed
    • Information relating to any discretionary benefit of a financial nature given by the government to an individual
    • Personal information processed for journalistic, artistic, literary or research purposes
    • Information necessary to carry out the functions of public authority
    • Information necessary for banks and other financial institutions to comply with applicable laws
    • Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions
  • The Data Privacy Act applies extraterritorially to an act done or practice engaged in and outside of the Philippines by an entity if the act, practice or processing relates to personal information about a Philippine citizen or resident, or the entity has a link with the Philippines and is processing personal information in or about the Philippines
  • The law requires the Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510 and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws
  • Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, is being processed in the Philippines
  • Extraterritorial application
    This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:
    • The act, practice or processing relates to personal information about a Philippine citizen or a resident
    • The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents
    • The entity has other links in the Philippines such as carrying on business in the Philippines or the personal information was collected or held by an entity in the Philippines
  • The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession
  • Privileged communication
    Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is inadmissible
  • The personal information controller or personal information processor shall uphold the rights of data subjects, and adhere to general data privacy principles and the requirements of lawful processing
  • The burden of proving that the Act and these Rules are not applicable to particular information falls on those involved in the processing of personal data or the party claiming the non-applicability
  • In all cases, the determination of any exemption shall be liberally interpreted in favor of the rights and interests of the data subject
  • Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor or reporter
  • Security of personal information
    The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing
  • Principle of accountability
    Each personal information controller is responsible for personal information under its control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation
  • Risk-based approach
    When an organization collects, stores, or uses (i.e. processes) personal data, the individuals whose data it is processing may be exposed to risks. It is important that the organization take steps to ensure that the data is handled legally, securely, efficiently and effectively in order to deliver the best possible care
  • General data privacy principles
    1. Transparency - The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
    2. Legitimate purpose - The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals or public policy.
    3. Proportionality - The processing of information shall be adequate, relevant, suitable, necessary and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
  • The law requires that any entity involved in data processing must develop, implement and review procedures for the collection of personal data, obtaining consent, limiting processing to defined purposes, access management, providing recourse to data subjects, and appropriate data retention policies
  • These requirements necessitate the creation of a privacy program. Requirements for technical security safeguards in the act also mandate that an entity have a security program